Information Commissioner’s Office struggling to recoup data breach debts, report suggests

Of the 152 fines issued by the ICO since 2015, 30% of them remain unpaid, a new report states

Up to 68% of fines issued by the UK’s Information Commissioner’s Office (ICO) since January 2019 remain unpaid, a report has revealed.

The ICO is responsible for issuing financial penalties to organizations who are deemed in breach of the Data Protection Act – the UK’s implementation of the General Data Protection Regulation (GDPR) – and thus failing to protect their customers’ data

Before GDPR came into force in May 2018, monetary penalties for data breaches ranged from £1,000 ($1,300) to £500,000 ($670,000).

After the new act was introduced, organizations could be fined up to €10 million ($12 million), or 2% of annual turnover, whichever is greater.

Figures unearthed via a Freedom of Information (FOI) request, however, show a significant delay between fines being issued and being paid.

Unsettled debts

The FOI request, submitted by The SMS Works, disclosed a breakdown of paid and unpaid penalties handed out by the UK’s data privacy regulator since 2015.

The data revealed that since January 2019 and August 2020, after the introduction of GDPR, 21 fines were issued – only nine, however, have been settled.

The same information also showed there are currently just over £7 million ($9.5 million) worth of unpaid debt owing to the ICO – 42% of the total fines issued since 2015.

“Of the 152 fines issued since 2015, 47 or 30% of them remain unpaid,” a blog post from The SMS Works reads.

“The total amount fined was £16.6 million ($22.5 million) and £7.05 million remains uncollected, that’s a staggering 42% of the total.


Of the 152 fines issued by the ICO since 2015, 30% of them remain unpaid, a new report statesOf the 152 fines issued by the ICO since 2015, 30% of them remain unpaid, a new report states


“Crunching the numbers further reveals which type of organizations are avoiding paying,” the blog post adds.

“Not surprisingly charities and public organizations stood up to their responsibilities, with 100% of fines being paid.”

In contrast, The SMS Works researchers said that the claims management industry is less enthusiastic to settle their balance sheet, with 84% of fines involving the sector being unpaid.

“Faced with a huge bill for their illegal and distressing activities, most companies simply fold, leaving the bill unpaid and the ICO almost no chance of recovering the debt,” the report adds.

Pay up or shut down

In an email to The Daily Swig, the ICO echoed this statement.

“Many nuisance call companies fined under Privacy and Electronic Communications Regulations go into liquidation,” a spokesperson explained.

“While in some respects, a firm going into liquidation marks a frustrating end to our investigations, it’s worth noting that when nuisance call companies go out of business, they stop making calls. And that’s a successful outcome.”

The ICO neither confirmed nor denied the findings in the blog post, but a spokesperson did offer their explanation as to why so many debts have yet to be recovered.

“Organizations have the right to appeal any regulatory action issued by the ICO and this can delay payment of a fine,” the ICO spokesperson told The Daily Swig.

They added: “The ICO’s Financial Recovery Unit seeks to recover assets from all companies avoiding fines; this can involve serving statutory demands; obtaining orders for recovery from the courts; and petitioning for the winding up of companies or bankruptcy of individuals.


Read more of the latest data breach news


“We actively exercise our rights as a creditor, including nominating insolvency practitioners whose investigations can result in personal claims against directors. We also work closely with the Insolvency Service in these cases, to support action to disqualify the worst offenders from running companies in the future.

“Since Jan 2019, nine fines have been paid, eight fines are in the process of being recovered and six are under appeal.

“Over the same period 17 directors have been disqualified for 100 years and a sole trader also signed a Bankruptcy Restriction Undertaking for six years in connection with ICO fines.”


YOU MAY ALSO LIKE UK organizations becoming more resilient to data breaches and cyber-attacks